Recently Struggling With Spam
  •  
mbad1

Have several clients and most ok but one a little troublesome

Getting 100 - 200 spam per day so I cranked up the spam filter a little bit but it's still not helping. Any ideas based on settings below or anything I can add?

Running Kerio Connect.

Tag Score 4.1 - Block Score 7.3
(Enable rating of messages from trustworthy relay agents defined in smtp ticked)

Blacklists
Barracuda central (Increase by 4.0)
Sorbs DNSBL increase by 4.9
Sorbs RHSBL BLOCK
Spamcop BLOCK
Spamhaus SBL-XBL - BLOCK
WPLBL Increase by 2.6

SpamAssassin - Ticked ON - Messages learned 17000, Not learned 5700 (So looks good!!)

Caller ID was on but turned off after reading about issues. (Made no difference while on anyway)

Enabled SPF - Was set to add 3 to score but just increased to 6.5 see if that helps.
Ticked don't check SPF from local network

Spam Repellent 21 seconds for external sources.

Any ideas ?? Is my setup about right ?

  •  
freakinvibe

Looks quite good. With the Spamhaus Blacklist, use

zen.spamhaus.org

instead of sbl-xbl. This covers all their safe block lists.

You should also analyse the headers of the mails that come through.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
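
Added example, not part of the original posts and not Kerio or Spamhaus code: how a DNSBL query against zen.spamhaus.org is formed and how the returned 127.0.0.x codes map to the SBL, XBL and PBL component lists. The function names and the injectable `resolve` parameter are this example's own; the return codes are the ones Spamhaus publishes, and 127.255.255.x answers are query errors, not listings.

```python
import ipaddress
import socket

ZEN = "zen.spamhaus.org"

# ZEN return codes as published by Spamhaus (last octet of 127.0.0.x).
LISTS = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
         9: "SBL-DROP", 10: "PBL", 11: "PBL"}
# 127.255.255.x means the query itself was refused; the IP is NOT listed.
ERRORS = {252: "typo in zone name",
          254: "query came via public/open resolver",
          255: "query volume limit exceeded"}

def query_name(ip, zone=ZEN):
    """Reverse the address and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:  # IPv6 is looked up as 32 reversed hex nibbles
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def classify(answers):
    """Split A-record answers into (component lists hit, query errors)."""
    listed, errors = set(), []
    for a in answers:
        o = [int(x) for x in a.split(".")]
        if o[:3] == [127, 0, 0] and o[3] in LISTS:
            listed.add(LISTS[o[3]])
        elif o[:3] == [127, 255, 255]:
            errors.append(ERRORS.get(o[3], "unknown error code"))
    return sorted(listed), errors

def check(ip, resolve=socket.gethostbyname_ex, zone=ZEN):
    """Look an IP up in the zone; `resolve` is injectable so this can run offline."""
    try:
        _, _, answers = resolve(query_name(ip, zone))
    except (socket.gaierror, socket.herror):
        return [], []  # no A record: not listed (resolver failures also land here)
    return classify(answers)
```

If `check()` reports an error instead of a listing, the mail server's resolver is the problem: a filter that treats any answer as "listed" would then act on every message.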
  •  
TorW

Not all spam that is rejected or filtered by SpamAssassin gets learned. I.e. not every spam triggers autolearning, no matter the score. Because of this, you should also consider sending a copy of everything that's rejected into a public folder so you can drag its contents to your Junk Mail folder every now and then.

We've changed the BAYES_99 score to a notch above the filter threshold so these spams are filtered even if only the Bayes "full score" rule triggers.

Just put:

score     BAYES_99     4.2


in the file local.cf and restart the kerio service/daemon.

Another tip is to trawl the logs looking for attempts to send spam to random usernames. You'll likely find some unknown recipients repeating. Set up an alias with delivery to the aforementioned public folder for these. You just made a poor man's spamtrap ;)
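
Added example, not part of the original post: one way to shortlist spamtrap aliases from rejected-recipient log entries. The log line layout, the regex, the thresholds and the sample data are assumptions constructed for this example, not Kerio Connect's log format; adapt the pattern to the real log. Addresses that look like typos of real mailboxes are skipped so that legitimate mail is not fed to the Bayes learner as spam.

```python
import re
from collections import defaultdict
from difflib import get_close_matches

# Constructed sample lines in a hypothetical layout (not Kerio's log format).
SAMPLE_LOG = """\
[12/Apr/2010 09:01:11] reject rcpt=<sales99@example.com> reason=unknown-user client=203.0.113.7
[12/Apr/2010 09:14:52] reject rcpt=<jon.smith@example.com> reason=unknown-user client=198.51.100.4
[12/Apr/2010 10:02:07] reject rcpt=<sales99@example.com> reason=unknown-user client=198.51.100.23
[12/Apr/2010 10:30:41] reject rcpt=<info.desk@example.com> reason=unknown-user client=192.0.2.50
[12/Apr/2010 10:31:02] reject rcpt=<info.desk@example.com> reason=unknown-user client=192.0.2.50
[12/Apr/2010 11:45:19] reject rcpt=<jon.smith@example.com> reason=unknown-user client=203.0.113.90
[12/Apr/2010 12:03:33] reject rcpt=<webmaster1@example.com> reason=unknown-user client=203.0.113.7
[12/Apr/2010 13:20:00] reject rcpt=<info.desk@example.com> reason=unknown-user client=192.0.2.50
[12/Apr/2010 14:08:26] reject rcpt=<sales99@example.com> reason=unknown-user client=203.0.113.7
[12/Apr/2010 15:55:10] reject rcpt=<jon.smith@example.com> reason=unknown-user client=198.51.100.4
"""
REAL_USERS = ["john.smith@example.com", "accounts@example.com"]  # constructed
LINE = re.compile(r"rcpt=<(?P<rcpt>[^>]+)> reason=unknown-user client=(?P<ip>\S+)")

def spamtrap_candidates(log_text, real_users, min_hits=3, min_sources=2):
    """Return (address, hits, distinct_clients) for repeating unknown recipients."""
    hits, sources = defaultdict(int), defaultdict(set)
    for m in LINE.finditer(log_text):
        rcpt = m["rcpt"].lower()
        hits[rcpt] += 1
        sources[rcpt].add(m["ip"])
    real_local = [u.lower().split("@")[0] for u in real_users]
    out = []
    for rcpt, n in hits.items():
        local = rcpt.split("@")[0]
        # Near-miss of a real mailbox: probably a human typo, never trap it.
        if get_close_matches(local, real_local, n=1, cutoff=0.8):
            continue
        # One client retrying is a misconfigured sender; several clients
        # hitting the same dead address points at a harvested spam list.
        if n >= min_hits and len(sources[rcpt]) >= min_sources:
            out.append((rcpt, n, len(sources[rcpt])))
    return sorted(out, key=lambda t: (-t[1], t[0]))
```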
  •  
mbad1

Yes they have put hundreds manually into junk mail and marked as not junk or junk (Possibly thousands.).
The Spamhaus one is the Kerio default list. Only one I have added is Barracuda.
Check the user box see if they are catching others mail (as forwards etc but nothing there).

I'll see if I can check the logs and start dumping them into a postmaster folder that gets deleted every 7 days or something. Only problem with that is you can spend hours making a note of IP addresses that are trying to spam us and put a rule or block in but they will just change IPs by the hour anyway. It might help get a few more learnt though.
  •  
mbad1

What about blocking China IPs - I've seen some talk of it but the list that everyone used seems to not be in use anymore. This kerio install is a simple small office environment so the lists are great as there is no DNS zones and all that malarkey, just a kerio server against the spammers.

I've even found a website with pages of IPs to use (okean.com) - Can I make my own local text list and subscribe it somehow, as I don't see an option?
  •  
mbad1

Just as an update I have found the UCE network and put in dnslbl-1.uceprotect.net and ips.backscatter.org with an increase score rating so will let you know how well they work.
  •  
sonofcolin

  •  
macgvr

One thing I found was that if the ISP provides backup MX service it will seriously interfere with spam filtering. Backup MX is nice in that it provides for email continuity should your email server be down for an extended period. Unfortunately, because of the way the backup MX works, it messes with the SMTP greeting delay and other anti-spam features. The users were getting 50 or more spam a day in their Inbox and really complaining about it. When the ISP turned the backup MX feature off the spam per day dropped to one or two.

PS. - Sorry about the previous blank message, hit Submit Reply by mistake.
  •  
mbad1

Thanks guys.

Really good suggestions and links and hopefully others will find it useful next time they search for SPAM !!

Using the new list it hit the sweet spot for this particular group of spammers so all much better now.

Thanks again.
  •  
rethaew

Expanding on blocking China, since my business is only in the United States, I have a custom black list of these countries which seem to generate a lot of spam:
China
Russia
Brazil
Argentina
and known open proxies

This is interesting. I would block the United States if I could.
http://www.spamhaus.org/statistics/countries.lasso
  •  
id t

mbad1 wrote on Mon, 12 April 2010 21:20
Just as an update I have found the UCE network and put in dnslbl-1.uceprotect.net and ips.backscatter.org with an increase score rating so will let you know how well they work.


Don't! UCE is a blackmailing business (they ask you MONEY to opt-out of their list, and they put you in the "bad boys" list with absolutely no reason) and they are already sued in Germany, where their servers are located. If you use their list you are 100% sure that you are rejecting legitimate email sources.
  •  
heze54

You can use the new spamhaus service dbl.

Try it!! It works fine fine!!!
  •  
freakinvibe

The new Spamhaus DBL can only be used for URLs within mail, similar to SURBL or URIBL, only domains can be looked up, no IP addresses.

So you can NOT use it in your KMS list of BLs. It only works in the latest version of SpamAssassin (3.3.1) which is not yet in KMS.

So, I guess it will be implemented in a later version of Kerio Connect.

See Spamhaus FAQ: http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL

[Updated on: Thu, 15 April 2010 09:28]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
macgvr

id t wrote on Wed, 14 April 2010 17:23
mbad1 wrote on Mon, 12 April 2010 21:20
Just as an update I have found the UCE network and put in dnslbl-1.uceprotect.net and ips.backscatter.org with an increase score rating so will let you know how well they work.


Don't! UCE is a blackmailing business (they ask you MONEY to opt-out of their list, and they put you in the "bad boys" list with absolutely no reason) and they are already sued in Germany, where their servers are located. If you use their list you are 100% sure that you are rejecting legitimate email sources.

That's not exactly correct. Uceprotect entries go away after 7 days for free, if there is no more spam sent. Adding them to your filtering system can help catch mail that the others don't. Their accuracy is excellent but if you are not sure, you can use them on a trial by choosing to add points rather than block. That is how I am starting and will evaluate how well they do on our system.